Question

When running netstat I noticed the suspicious name blackjack. I wonder if it's malware.

PROMPT> netstat -v
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)     rhiwat shiwat    pid   epid  state    options
tcp6       0      0  nameofmachine.local.blackjack fe80::c55b:ddf6:.13569 ESTABLISHED 131072 131072    476      0 0x0102 0x00000204
tcp6       0      0  nameofmachine.local.1024      fe80::c55b:ddf6:.1024  ESTABLISHED 131072 131072    476      0 0x0102 0x00000204

Looking up the pid 476

PROMPT> ps ax | grep 476
476   ??  S      0:19.94 /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd

So the process that owns the address seems to be identityservicesd.app, which is an Apple process. This is where my trail ends.

There are other mentions of .blackjack occurring on macOS, see this unanswered Reddit question.

Question: Is it malware?


Solution

Giving an extra -n parameter to the netstat command reveals the port number.

This reveals that blackjack corresponds to port 1025.

PROMPT> netstat -anv
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)     rhiwat shiwat    pid   epid  state    options
tcp6       0      0  fe80::c999:dc6f:.1025  fe80::c55b:ddf6:.13569 ESTABLISHED 131072 131072    476      0 0x0102 0x00000204
tcp6       0      0  fe80::c999:dc6f:.1024  fe80::c55b:ddf6:.1024  ESTABLISHED 131072 131072    476      0 0x0102 0x00000204

In the past, port 1025 seems to have been used for something named network blackjack. Nowadays I doubt that it's still being used for this purpose.

My conclusion is that identityservicesd running on port 1024+1025 is harmless.
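
An added example, not part of the original answer: the sketch below translates the labels in the question's `netstat -v` lines back to port numbers, showing that `blackjack` is a label for port 1025 rather than the name of a program. It assumes the labels come from a services database in `/etc/services` format; the excerpt embedded here is constructed, and the function names are hypothetical.

```python
# Added example: map netstat service-name labels back to port numbers.
SERVICES_SAMPLE = """\
# Constructed excerpt in /etc/services format: name port/proto [aliases] # comment
blackjack       1025/udp    # network blackjack
blackjack       1025/tcp    # network blackjack
"""

# The two connection lines from the question's `netstat -v` output.
NETSTAT_SAMPLE = """\
tcp6       0      0  nameofmachine.local.blackjack fe80::c55b:ddf6:.13569 ESTABLISHED 131072 131072    476      0 0x0102 0x00000204
tcp6       0      0  nameofmachine.local.1024      fe80::c55b:ddf6:.1024  ESTABLISHED 131072 131072    476      0 0x0102 0x00000204
"""


def parse_services(text):
    """Return {(name, proto): port} from services-file text, aliases included."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:
            table.setdefault((name, proto), int(port))
    return table


def local_ports(netstat_text, services):
    """Return (label, port, pid) per connection; port is None if the label is unknown."""
    rows = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 9 or not cols[0].startswith(("tcp", "udp")):
            continue                              # skip headers and short lines
        proto = cols[0].rstrip("0123456789")      # tcp6 -> tcp
        label = cols[3].rpartition(".")[2]        # BSD netstat prints host.port
        port = int(label) if label.isdigit() else services.get((label, proto))
        pid = int(cols[8]) if cols[8].isdigit() else None
        rows.append((label, port, pid))
    return rows


if __name__ == "__main__":
    for label, port, pid in local_ports(NETSTAT_SAMPLE, parse_services(SERVICES_SAMPLE)):
        print(f"label={label!r} port={port} pid={pid}")
```

A label that resolves to `None` is not in the table supplied; rerunning netstat with `-n`, as the answer does, shows the number directly.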

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange